So I have an ORDS endpoint (Oracle REST Data Services) that receives a JSON payload from the Facebook API, and a variable, X-Hub-Signature, which comes in the header of the request.
I have to validate the request I receive, so I know it’s from Facebook.
I have to generate a hash that takes the payload (BLOB) and a key (string) that both Facebook and I share (app_secret), and then I compare it to the value of X-Hub-Signature, so I can confirm it’s a valid request.
Problem is, Facebook says:
“Please note that we generate the signature using an escaped unicode version of the payload, with lowercase hex digits. If you just calculate against the decoded bytes, you will end up with a different signature. For example, the string äöå should be escaped to \u00e4\u00f6\u00e5.”
So far my hashes are a match to the payloads I receive, but I tried with those äöå characters and I can’t know for sure if it’s working, since all the online HMAC encoders don’t look that good and also I don’t know how to unicode-escape them (on the online encoders).
So far I have this:
FUNCTION validate_payload (p_x_hub_signature IN VARCHAR2,
                           p_json_payload    IN BLOB)
RETURN VARCHAR2
IS
   -- placeholder secret; the real app_secret is the one shared with Facebook
   v_app_secret      VARCHAR2(4000) := '2f2f2f2f2f2f2f';
   l_mac             RAW(10000);   -- HMAC-SHA1 output (20 bytes)
   v_x_hub_signature VARCHAR2(4000);
BEGIN
   -- HMAC-SHA1 over the raw request body, keyed with the UTF-8 bytes of the secret
   l_mac := DBMS_CRYPTO.MAC (src => p_json_payload,
                             typ => DBMS_CRYPTO.HMAC_SH1,
                             key => UTL_I18N.STRING_TO_RAW (v_app_secret, 'AL32UTF8'));
   -- Facebook sends 'sha1=' followed by lowercase hex digits; RAWTOHEX makes the
   -- RAW-to-hex conversion explicit instead of relying on implicit conversion
   v_x_hub_signature := 'sha1=' || LOWER(RAWTOHEX(l_mac));
   -- p_x_hub_signature is not compared here; the caller compares it with the result
   RETURN v_x_hub_signature;
END;
Can you give any feedback on this?
Is this right?
Thanks in advance, sorry for the bad English or explanation!
3 Answers
I just realized, I may have induced you into error. As Sentinel mentioned, v_app_secret doesn't need to be translated, only p_json_payload, which is a BLOB.
So far I've come up with this: do you think it's okay? I have no way to know for sure :/
Here is a PL/SQL solution. It requires less coding than Sentinel’s proposal and might be more clear.
Assuming
needs to be translated to
\
Starting with @Wernfried Domscheit’s method of using ASCIISTR and regexp_replace, it can be extended to a whole list of replacements to get the lower case versions:
If you want a PL/SQL function to do it, the series of transformations can be nested up and put in a function. If you don’t want the final transformation of u005c to just remove the outer regexp_replace: